pub struct UserSalt(/* private fields */);
Per-user 128-bit salt held by the HSM. Shredding the salt renders every body_hash derived from it pre-image-unsafe (the hash can no longer be recomputed from candidate content); this is the crypto-erasure pairing for content hashes.

The buffer is zeroised on drop so that in-process handling after an HSM fetch does not leak material into memory dumps. UserSalt is intentionally not Clone, to keep a single owner per fetch; callers borrow it or re-fetch from the HSM.

Production HSM backends supply UserSalt through the KmsBackend::fetch_user_salt(user_id) -> Result<UserSalt, _> hook. That path keeps the user-erasure semantics aligned: the DEK and the salt are dropped together under a single delete_user(user_id) call.
Implementations

impl UserSalt
pub fn from_bytes(bytes: [u8; 16]) -> Self

Construct from a 16-byte buffer, normally produced by an HSM fetch_user_salt call. The array is passed by value, so callers remain responsible for wiping their own copy after handing it off.
pub fn as_bytes(&self) -> &[u8; 16]

Borrow the salt material; used by compute_body_hash. The returned reference is never persisted: callers feed it straight into BLAKE3.
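The zeroise-on-drop and crypto-erasure behaviour described above, as an added stand-alone example that is not the crate's own code. It assumes a hypothetical fetch_user_salt that constructs salt bytes locally (no HSM), and substitutes a labelled non-cryptographic keyed mix for the real BLAKE3 keyed hash so it runs without dependencies.

```rust
use std::sync::atomic::{compiler_fence, Ordering};

/// Per-user 128-bit salt: single owner (deliberately not Clone),
/// zeroised when dropped.
pub struct UserSalt([u8; 16]);

impl UserSalt {
    pub fn from_bytes(bytes: [u8; 16]) -> Self { UserSalt(bytes) }
    pub fn as_bytes(&self) -> &[u8; 16] { &self.0 }

    /// Shred in place. Volatile writes plus a compiler fence stop the
    /// optimiser from eliding the zeroing of a buffer about to die.
    pub fn shred(&mut self) {
        for b in self.0.iter_mut() {
            // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

impl Drop for UserSalt {
    fn drop(&mut self) { self.shred(); }
}

/// Stand-in for the HSM hook (assumption: constructed bytes, not HSM
/// material). Shows the caller wiping its own copy after from_bytes,
/// because the array was passed by value and a copy stays on the stack.
pub fn fetch_user_salt(user_id: u32) -> UserSalt {
    let mut buf = [0u8; 16];
    for (i, b) in buf.iter_mut().enumerate() {
        *b = (user_id as u8).wrapping_add(i as u8 * 7) | 1;
    }
    let salt = UserSalt::from_bytes(buf);
    for b in buf.iter_mut() {
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
    salt
}

/// NOT the real compute_body_hash: a 64-bit FNV-1a mix over salt||body,
/// standing in for blake3 keyed hashing only to show that once the salt
/// is shredded the hash can no longer be recomputed from the body.
pub fn compute_body_hash(salt: &UserSalt, body: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in salt.as_bytes().iter().chain(body) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}
```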